Kaspersky's antivirus software takes non-threatening files (updated)

Kaspersky's attempt to quash collusion fears through transparency isn't quite reassuring everyone. In an interview with Reuters, founder Eugene Kaspersky has acknowledged that his company's antivirus software has copied files that weren't marked as direct threats. In one example, the program removed GrayFish, a tool meant to corrupt Windows' startup sequence. Reuters sources also claim that Kaspersky's software once grabbed the photo of a suspected hacker from their computer, although the CEO didn't confirm this. He declined to talk about too many specific instances out of concern that it might help hackers cover their tracks.

The revelation doesn't affect the company's brief possession of classified NSA files (those were part of a larger file deemed suspicious). However, it's definitely not normal -- antivirus software typically only targets files that are direct risks. And in the case of competing antivirus tools, like F-Secure, it's not uncommon for them to ask permission before they upload anything.

This doesn't mean that Kaspersky's tool is doing anything sinister. According to Kaspersky, it's really about catching "cyber criminals." However, the revelation certainly isn't going to allay concerns that Kaspersky might have helped the Russian government conduct espionage. If the company can take files that don't have an immediate bearing on a PC's security, what's to stop it from passing on files that Russian intelligence might want?

As it is, this also highlights a broader issue with antivirus software as a whole. As Trail of Bits chiefDan Guido explained, many antivirus programs collect a large amount of data about the computers that run them, if often out of necessity. It wouldn't take much for a less-than-upstanding company or a hacker to misuse that info, and you may want to be sure that you're comfortable with how an AV suite handles your data before you use it.

Update: Kaspersky disputes claims he said the software takes non-threatening files. Reuters has since modified its piece to reference the AV tool taking "inactive" files.